UI Authentication
This page describes how authentication works for the TrilioVault for Kubernetes (TVK) UI.
TVK supports authentication via kubeconfig files and via Dex, an identity provider (IdP) plugin that brokers logins from other identity providers.

Role-Based Access Control

Trilio aims to keep the UI completely stateless where each Kubernetes user is able to configure their specific UI experience based on the specific clusters (installed with TVK) they have access to.
Since Trilio supports both namespace installation and cluster scope installation, understanding the resulting user experience becomes important.

Scenario 1

1. TVK is installed at a cluster scope level
2. User A has access to namespaces 1, 2 and 3
3. User B has access to namespaces 2 and 3
4. No specific RBAC has been set on the Trilio CRDs

User A and User B will only see the namespaces that they have access to when they access the UI. Both users will be able to perform TrilioVault actions without any restrictions.

Scenario 2

1. TVK is installed at a namespace level scope within Namespace 1
2. User A has access to namespaces 1, 2 and 3
3. User B has access to namespaces 2 and 3
4. No specific RBAC has been set on the Trilio CRDs

User A will only see namespace 1 when logged into the UI. Namespace 1 will show as a single namespace cluster within the UI. User B will not see any clusters (or namespaces) within the UI (blank UI) when they log in.

Minimal ClusterRole for UI Access

Requirements for accessing the TVK console for cluster and namespace installs.

Cluster Install

The following ClusterRole shows the minimal configuration required to access the TVK management console.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: svcs-role
rules:
  # Read access to every resource in the TrilioVault API group, so the console can list them
  - apiGroups: ["triliovault.trilio.io"]
    resources: ["*"]
    verbs: ["get", "list"]
  # The console additionally needs to create policies
  - apiGroups: ["triliovault.trilio.io"]
    resources: ["policies"]
    verbs: ["create"]
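To check that a role grants exactly what the console needs and no more, the following added example (not Trilio's code) models Kubernetes RBAC rule matching, where a request is allowed when some rule matches its apiGroup, resource and verb and "*" matches anything, and evaluates the minimal ClusterRole above alongside two constructed variants. Only `policies` is a resource name taken from the page; `backups` is an assumed TVK resource name used to exercise the wildcard rule. `resourceNames` and `nonResourceURLs` are not modelled.

```python
"""Evaluate a ClusterRole against the permissions the TVK console needs.

Added example, not Trilio's code. Models Kubernetes RBAC rule matching and
checks the page's minimal ClusterRole plus two constructed variants.
"""

TVK_GROUP = "triliovault.trilio.io"

# The minimal ClusterRole from the page, expressed as a Python dict.
MINIMAL_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {"name": "svcs-role"},
    "rules": [
        {"apiGroups": [TVK_GROUP], "resources": ["*"], "verbs": ["get", "list"]},
        {"apiGroups": [TVK_GROUP], "resources": ["policies"], "verbs": ["create"]},
    ],
}

# Constructed variant: read access only, the policy-creation rule is missing.
READ_ONLY_ROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "constructed-read-only"},
    "rules": [MINIMAL_ROLE["rules"][0]],
}

# Constructed variant: cluster-admin style wildcard, far more than the UI needs.
WILDCARD_ROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "constructed-wildcard"},
    "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
}

# (apiGroup, resource, verb) requests the console must be able to make.
# "backups" is an assumed TVK resource name; "policies" is from the page.
REQUIRED_REQUESTS = [
    (TVK_GROUP, "backups", "get"),
    (TVK_GROUP, "backups", "list"),
    (TVK_GROUP, "policies", "get"),
    (TVK_GROUP, "policies", "list"),
    (TVK_GROUP, "policies", "create"),
]


def _entry_matches(allowed, value):
    """RBAC list semantics: an explicit entry or the "*" wildcard matches."""
    return "*" in allowed or value in allowed


def rule_allows(rule, group, resource, verb):
    """True when a single PolicyRule covers the request."""
    return (
        _entry_matches(rule.get("apiGroups", []), group)
        and _entry_matches(rule.get("resources", []), resource)
        and _entry_matches(rule.get("verbs", []), verb)
    )


def role_allows(role, group, resource, verb):
    """A role allows a request if any rule does; RBAC rules are purely additive."""
    return any(rule_allows(r, group, resource, verb) for r in role.get("rules", []))


def missing_permissions(role):
    """Required requests the role does not grant; an empty list means the console can work."""
    return [req for req in REQUIRED_REQUESTS if not role_allows(role, *req)]


def broad_rules(role):
    """Indexes of rules that wildcard apiGroups or verbs.

    Such rules reach beyond the TVK API group or beyond get/list/create and
    are worth flagging when the goal is least privilege for UI access.
    """
    flagged = []
    for i, rule in enumerate(role.get("rules", [])):
        if "*" in rule.get("apiGroups", []) or "*" in rule.get("verbs", []):
            flagged.append(i)
    return flagged


if __name__ == "__main__":
    for role in (MINIMAL_ROLE, READ_ONLY_ROLE, WILDCARD_ROLE):
        name = role["metadata"]["name"]
        print(f"{name}: missing={missing_permissions(role)} broad={broad_rules(role)}")
```

A ClusterRole grants nothing on its own; it must be bound to the user or group with a ClusterRoleBinding (or a RoleBinding for a single namespace) before the console will see any resources.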

Namespace Install

If TVK has been installed at a namespace level, then a minimum of read access over that namespace is required to access the management console.
Some Kubernetes clusters use a cloud-specific exec action or an auth-provider configuration in the kubeconfig file to fetch the authentication token. Since the binaries for that cloud service may not be available on the system where the user provides the config file, TVK may not be able to fetch the token and populate it in the kubeconfig.
In order to support authentication for these cloud providers, follow the steps below to create a custom kubeconfig file consisting of a service account token and the cluster data.
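The following added example (not Trilio's code) shows how to detect user entries in a kubeconfig that depend on an `exec` plugin or `auth-provider` block, and how to rebuild the same cluster data into a self-contained kubeconfig that carries a service account bearer token instead. The input kubeconfig is a constructed dict (a real file is YAML); the output uses the standard clusters/users/contexts layout and is emitted as JSON, which kubectl accepts because JSON is valid YAML. The server address, CA data and token values are constructed placeholders.

```python
"""Detect plugin-dependent kubeconfig users and build a token-based kubeconfig.

Added example, not Trilio's code. All cluster and credential values below are
constructed placeholders.
"""
import json

CONSTRUCTED_KUBECONFIG = {
    "apiVersion": "v1",
    "kind": "Config",
    "clusters": [
        {
            "name": "demo",
            "cluster": {
                "server": "https://demo.example.invalid:6443",
                "certificate-authority-data": "Q09OU1RSVUNURUQtQ0EtREFUQQ==",  # constructed
            },
        }
    ],
    "users": [
        # Token comes from an external binary that may not exist where the file is used.
        {"name": "cloud-user", "user": {"exec": {
            "apiVersion": "client.authentication.k8s.io/v1beta1",
            "command": "cloud-cli", "args": ["get-token"]}}},
        # Legacy auth-provider block with the same dependency problem.
        {"name": "legacy-user", "user": {"auth-provider": {"name": "oidc", "config": {}}}},
        # Static bearer token: usable without any local binary.
        {"name": "sa-user", "user": {"token": "CONSTRUCTED-SA-TOKEN"}},
    ],
    "contexts": [
        {"name": "demo", "context": {"cluster": "demo", "user": "cloud-user"}},
        {"name": "demo-sa", "context": {"cluster": "demo", "user": "sa-user"}},
    ],
    "current-context": "demo",
}


def plugin_dependent_users(kubeconfig):
    """Names of user entries whose credentials come from exec or auth-provider."""
    return [
        u["name"]
        for u in kubeconfig.get("users", [])
        if "exec" in u.get("user", {}) or "auth-provider" in u.get("user", {})
    ]


def build_token_kubeconfig(cluster_name, server, ca_data, token, namespace=None):
    """Minimal self-contained kubeconfig: one cluster, one token user, one context."""
    user_name = f"{cluster_name}-sa"
    context = {"cluster": cluster_name, "user": user_name}
    if namespace:  # pin the context to the namespace of a namespace-scoped install
        context["namespace"] = namespace
    return {
        "apiVersion": "v1",
        "kind": "Config",
        "clusters": [{"name": cluster_name, "cluster": {
            "server": server, "certificate-authority-data": ca_data}}],
        "users": [{"name": user_name, "user": {"token": token}}],
        "contexts": [{"name": cluster_name, "context": context}],
        "current-context": cluster_name,
    }


def convert_context_to_token(kubeconfig, context_name, token, namespace=None):
    """Take the cluster data behind a context and pair it with a static token."""
    ctx = next(c for c in kubeconfig["contexts"] if c["name"] == context_name)
    cluster = next(c for c in kubeconfig["clusters"]
                   if c["name"] == ctx["context"]["cluster"])
    return build_token_kubeconfig(
        cluster["name"],
        cluster["cluster"]["server"],
        cluster["cluster"].get("certificate-authority-data", ""),
        token,
        namespace,
    )


def to_kubeconfig_text(kubeconfig):
    """Serialise for upload; JSON avoids a PyYAML dependency and kubectl reads it as YAML."""
    return json.dumps(kubeconfig, indent=2)


if __name__ == "__main__":
    print("plugin-dependent users:", plugin_dependent_users(CONSTRUCTED_KUBECONFIG))
    fixed = convert_context_to_token(
        CONSTRUCTED_KUBECONFIG, "demo", "CONSTRUCTED-SA-TOKEN", namespace="namespace-1")
    print(to_kubeconfig_text(fixed))
```

The token placed in the generated file is a long-lived bearer credential, so the service account it belongs to should carry only the minimal role described above and the file should be handled as a secret.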